SlideShare une entreprise Scribd logo

The Android vs. Apple iOS Security Showdown

Tom Eston
Tom Eston

Android and Apple mobile devices have taken the market by storm.  Not only are they being used by consumers but they are now being used for critical functions in businesses, hospitals, government and more.   This trend is expected to continue with the popularity of mobile devices such as tablets well into the future.  In this presentation we put Android up against Apple iOS to determine which, if any, are ready for enterprise or federal use.  Once and for all we battle the Apple App Store vs. Google Play, device updates, developer controls, security features and the current slew of vulnerabilities for both devices.  Which platform will emerge the victor?  You might find that while the "tech is hot" the implementation and built in security controls are "not". 

Technologie
1  sur  69
Télécharger pour lire hors ligne
Android vs. Apple iOS Security Showdown Tom Eston
About Your Presenter • Tom Eston CISSP, GWAPT • Manger of the SecureState Profiling & Penetration Team • Specializing in Attack & Penetration, Mobile Security • Founder of SocialMediaSecurity.com • Facebook Privacy & Security Guide • Security Blogger – SpyLogic.net • Co-host of Social Media Security Podcast • National Presenter Black Hat USA, DEFCON, ShmooCon, SANS, OWASP 2
Agenda • The Latest Statistics on Android vs. Apple iOS • Android and Apple iOS Overview – Versions & Features • What are the issues, what are the security concerns? • The “SHOWDOWN”! – Each feature compared between Android and Apple iOS…who will win?? • Mobile Device Best Practices 3
Android? 4
Apple? 5
It’s a SHOWDOWN! Image: PinoyTutorial.com 6
Android - Latest Statistics • 300 Million Devices Sold (as of February 2012) • 450,000 apps in the Android Market (Google Play) 7
Apple iOS - Latest Statistics • 316 Million iOS Devices Sold (as of February 2012) • Increase due to Verizon/Sprint now selling Apple devices • 500,000 apps in the Apple App Store 8
9
What Do We See? • Apple iOS is the most talked about, more widely deployed – iPad’s are hot! • Android a close second • BlackBerry third • Windows Mobile fourth • webOS or Symbian OS? 10
Android: Current Versions • Jelly Bean 4.1.1 – Tablet (Nexus 7) and Nexus Phone • Honeycomb 3.2.6 – Tablet only (Motorola Xoom) • Updates are periodic. No set schedule by Google. • Updates to the device depend on the hardware manufacturer and the cell carrier • Samsung Galaxy Nexus and the Nexus 7 tablet get updates immediately from Google (this is the ‘Google Phone/Tablet’) 11
Apple iOS: Current Versions • Not to be confused with Cisco “IOS” • Apple changed the name to “iOS” in June 2010 • Updated at least once a quarter, mostly minor revisions • Current version(s): – All carriers (GSM/CDMA) = 5.1.1 – iOS 6 in Beta 2 • iOS 5 fully supports iPhone 4/4S, iPhone 3GS, iPod Touch 3/4 gen, iPad 1-3 12
Mobile Security Concerns • App Store and Mobile Malware • App Sandboxing • Remote Wipe and Policy Enforcement • Device and App Encryption • OS Updates • Jailbreaking and Rooting • New(er) Technology 13
App Stores and Mobile Malware • Android Marketplace (now Google Play) – Very little application vetting, previous issues with Malware in the Marketplace (working on improving this) – Hot target for malware and malicious apps – Easy to get users to install popular “fake” apps outside Google Play 14
Recent Mobile Malware Statistics • Juniper Networks’ 2011 Mobile Malware Threats Report – 13,302 samples of malware found targeting Android from June to December 2011 – “0” samples of malware found targeting Apple iOS (seriously…) Source: http://www.juniper.net/us/en/local/pdf/additional- resources/jnpr-2011-mobile-threats-report.pdf 15
Legend of Zelda on Android? This would be awesome if true! ☺ http://nakedsecurity.sophos.com/20 12/04/26/dirty-tricks-android-apps/ 16
Angry Birds from Unofficial App Stores • Disguised as a Trojan horse • Uses the “GingerBreak” exploit to root the device • Your device becomes part of a botnet http://nakedsecurity.sophos.com/2012/04/12/a ndroid-malware-angry-birds-space-game/ 17
Easy to Ignore Android App Permissions • Reminder: Some apps can do things you didn’t know about – Example: Launching the web browser 18
Example: Fake Instagram App 19
App Stores and Mobile Malware • Apple App Store – Developers must pay $99 – Submit identifying documents (SSN or articles of incorporation for a company) • Google Play – Developers must pay $25 – Agree to a “Developers Distribution Agreement” – Easy to upload lots of apps and resign if apps get rejected or banned 20
App Stores and Mobile Malware • Apple App Store – Vetting process for each app in the store – Must pass Apple’s “checks” (static analysis of binaries) – Code for each app is digitally signed by Apple, not the developer • Process was exploited by Charlie Miller in November of 2011 – Created an “approved” app which was digitally signed – The app later downloaded unsigned code which could modify the OS dynamically – Was a bug in iOS 4.3/5.0 21
Apple’s Problem? Questionable Apps • 90% of submissions to the Apple App Store are denied because the app doesn’t do what it says it does • Spammy apps…mainly privacy issues such as UDID usage • Jailbroken device? More susceptible to malware from unauthorized app repositories (Cydia) • Apps that look like legitimate apps: – Temple Run -> Temple Guns -> Temple Jump – Angry Birds -> Angry Ninja Birds -> Angry Zombie Birds – Zombie Highway -> Zombie Air Highway 22
Angry Zombie Birds is Real! 23
…and it’s horrible! FAIL! 24
Apple: Very Little App Permissions Shown To Users • Mainly for privacy • Apps are limited to what they can do • * Apps can access contact data without permission (will be fixed in iOS 6) • Developers can do this on their own (Yelp)… 25
26
Recent Apple “Find and Call Malware” • First “Trojan” for Apple iOS? • Really it was a spammy app that sent your contact list to a third- party server • Your friends get SMS spammed from the server • Contact list notification to be added in iOS 6 • App removed from the App Store and Google Play Image: Kaspersky Labs 27
Winner: Apple iOS • Apple’s “walled garden” works better than Android’s “open garden” (at least for now) • However, still not immune from spammy, fake or potentially malicious apps (or really bad games)! 28
Android: App Sandboxing • Privileged-Separated Operating System – Each app runs with a distinct system identity • Unique Linux user ID and group ID for each app • No app, by default, has permissions to perform operations that would impact other apps, the OS, or the user (Android Developer Docs) – The app grants permissions outside the default “sandbox” • Location based services can only be disabled globally, not on a per app basis – Apps are “signed” by the developer (not Google) and can be self-signed certificates (not a security feature) 29
Android: App Sandboxing – Google “community based” enforcement • If the app is malicious or not working correctly the App community will correct the problem (in theory) – Rooted device? Too bad…root can access the keystore! • Apps can write to the SD Card (removable storage) – Files written to external storage are globally readable and writable 30
Apple iOS: App Sandboxing • Each app is installed in its own container • If the app is compromised via exploit, the attacker is limited to that container • Jailbroken device? Ignore the last bullet point… Image: iOS Developer Library (developer.apple.com) 31
Apple iOS: App Sandboxing • Each app is signed by Apple (not the developer) • Apps run as the “mobile” user • The Keychain is provided by Apple outside the sandbox for password or sensitive data storage • Apps can only access Keychain content for the application – Also a “device protection” API can be used by developers – Note: There are tools to dump the Keychain but the device has to be Jailbroken (in some form) • Apple does not use external storage devices (SD Cards) 32
Winner: Apple iOS (by a nose) • Apple signs all applications • Limited areas to store app data • Permissions system is simpler for users – Example: More granular control of location based settings • Keychain and device protection APIs help (if developers use them) 33
Remote Wipe and Policy Enforcement • Android – Google Apps Device Policy ($$) – Third-Party App ($$) – Third-Party MDM (Mobile Device Management) ($$) – Microsoft Exchange ActiveSynch • Apple iOS – Google Apps Device Policy ($$) – Apple OS X Lion Server Profile Manager ($$) – FindMyPhone (Free) – iPhone Configuration Utility (Free) – Third-Party MDM ($$) – Microsoft Exchange ActiveSynch 34
Android: Remote Wipe • Google Apps Device Policy (Full MDM) – Need a Google Apps Business Account – Can manage multiple devices • iOS, Windows Mobile and Android 35
36
Apple iOS: FindMyPhone • Free and easy way to remote wipe or find a lost or stolen device • Accessible via icloud.com 37
Android: Policy Enforcement • Android Device Administration API – Encrypt data stored locally – Require password – Password strength – Minimum characters – Password expiration – Block previous passwords – Device auto lock – Device auto wipe after failed password attempts – Allow camera (not supported on Android, only iOS) – Encrypt device (whole disk) – Remote wipe/lock 38
Android Policy Enforcement • No free utility to provision or create profiles • Need to create an app to install specific settings • Android provides little guidance on how to deploy this app • Users must activate the app for policies to take effect 39
Apple iOS: Policy Enforcement • Very detailed settings available: – Passcode – Wi-Fi – VPN – Proxy – LDAP – Exchange ActiveSynch – App/Camera and other Restrictions – …and more! 40
iPhone Configuration Utility 41
Winner: Apple iOS • Free remote wipe utility (FindMyPhone) • Much more granular enterprise controls • Free small scale MDM (iPhone Configuration Utility) • Easier to implement policies 42
Device and App Encryption • Android – No device encryption on Android < 3.0 – Device encryption API released in “Ice Cream Sandwich – 4.0” – Based on dm-crypt (disk encryption) – API available since 3.0 for app level encryption 43
Device and App Encryption • Apple iOS Hardware Encryption – Hardware encryption was introduced with the iPhone 3GS – Secures all data “at rest” – Hardware encryption is meant to allow remote wipe by removing the encryption key for the device – Once the hardware key is removed, the device is useless – Full MDM API’s available 44
Device and App Encryption • Apple iOS Device Protection – “Device Protection” different than “Hardware Encryption” – This is Apple’s attempt at layered security • Adds another encryption layer by encrypting application data • Key is based off of the user’s Passcode. – Only Mail.app currently supports this – Many developers are not using the APIs – Often confused with Hardware Encryption 45
Winner: Apple iOS • Slight edge to Apple for having hardware based encryption • Device Protection API more robust than Android • Developer documentation +1 for Apple 46
OS Updates • Android – Slow patching, if at all! – OTA updates – A lot depends on forces outside of Google – Some devices will not support the latest version of Android…ever! – Google releases the update or patch, device maker customizes it, then carrier customizes it as well… 47
48
Android Device Fragmentation *3,997 distinct devices downloaded OpenSignalMaps app in 6 months: http://opensignalmaps.com/reports/fragmentation.php? 49
OS Updates • Apple iOS – Frequent updates (at least once a quarter) – Easier for Apple because the hardware is the same, not device manufacturer or carrier dependent – iOS 5 brings OTA updates 50
Winner: Apple iOS • Same hardware, updates from one source = easier and faster to update • Track record of (more) quickly addressing security issues 51
Jailbreaking and Rooting “Jailbreaking essentially reduces iOS security to the level of Android…” – Dino Dai Zovi, iOS Hacker 52
Rooting on Android • Allows “root” access (super user) to the device • Why do people “root”? – Access the flash memory chip (modify or install a custom ROM) – Make apps run faster – Remove device or carrier apps – Turn the phone into a WiFi hotspot to avoid carrier fees – Allows “Unlocking” so the device can be used with another cell provider • Rooting is LEGAL in the United States – Digital Millennium Copyright Act (DMCA 2010) 53
Rooting Process on Android 54
Jailbreaking on Apple iOS • Full access to the OS and file system • Install applications and themes not approved by Apple (via installers like Cydia) • Tether their iOS device to bypass carrier restrictions • They hate Apple’s communist and elitist restrictions • Jailbreaking is LEGAL in the United States – Digital Millennium Copyright Act (DMCA 2010) 55
Jailbreaking Tools • Pwnage Tool • Redsn0w • Sn0wbreeze • GreenPois0n Absinthe • Jailbreakme.com • LimeRa1n exploit used for most Jailbreaks 56
New Jailbreaks • Latest versions of Absinthe and redsn0w can Jailbreak all new Apple devices running 5.1.1 (4S and the “new” iPad) • iOS 6 beta already jailbroken (tethered only) • iPhone dev-team does fantastic work! 57
Winner? None! • Rooting and jailbreaking are bad for the security of the device! • Malware for Android takes advantage of this…and in some cases roots the device for you • Previous iOS “worm’s” that look for SSH ports from jailbroken devices • Removes built in sandbox restrictions • MDM needs to prevent and/or detect rooted and jailbroken devices! (you should also have a policy) 58
New(er) Mobile Technology • Both devices are coming out with more innovative features which have interesting security considerations • Android 4.0 has facial recognition to unlock the device – Potential issue with the “swipe pattern” feature vs. standard passcode unlock • ASLR (Address Space Layout Randomization) – New in Android 4.0 – Support since iOS 4.3 – Developers have to take advantage of this! – * Kernel ASLR added in iOS 6 59
New(er) Mobile Technology • Android: NFC – Android Beam – Let’s see how NFC gets attacked at Black Hat USA this year… 60
New(er) Mobile Technology • Android: NFC – Google Wallet 61
New(er) Mobile Technology • Apple iPhone 4S – Siri Voice Control • Allows commands by default on a locked device • Send emails/text’s and more… Image: Sophos 62
Mobile Device Best Practices (for Android or Apple iOS) ☺ 63
The Passcode • You should always have a passcode • You should require it immediately • It should be > 4 characters, 6 is recommended 6 character Alphanumeric = 196 years to brute force! – Why so long? You have to do the attack on the device… • It should be complex • Enable lockout/wipe feature after 10 attempts
Enable Remote Management • For true Enterprise level management you must use a third-party MDM – Decide which type of enrollment is best for you – Whitelist approach may be best • Allow only devices you have authorized • BYOD: policy sign-off?
Don’t Allow Rooting or Jailbreaking • Removes some built-in security features and sandboxing • Can leave you vulnerable to malicious applications • Ensure third-party MDM solutions prevent or detect rooting/jailbreaking • Address this in your mobile device policy
Android Specific Best Practices • Enable Password Lock Screen vs. Face Unlock or Pattern • Disable USB Debugging • Enable Full Disk Encryption • Download apps only from official app stores – Google Play – Amazon 67
Where to Find More Information • Links to all the tools and articles mentioned in this presentation: http://MobileDeviceSecurity.info • My presentations: http://SpyLogic.net
Thank you for your time! Email: teston@securestate.com Twitter: agent0x0 QUESTIONS ANSWERS 69

Recommandé

Cybersecurity in the Era of IoT
Cybersecurity in the Era of IoTCybersecurity in the Era of IoT
Cybersecurity in the Era of IoT
Amy Daly
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
Ishan Girdhar
 
Android security
Android securityAndroid security
Android security
Midhun P Gopi
 
security and privacy-Internet of things
security and privacy-Internet of thingssecurity and privacy-Internet of things
security and privacy-Internet of things
sreelekha appakondappagari
 
Day: 1 Introduction to Mobile Application Development (in Android)
Day: 1 Introduction to Mobile Application Development (in Android)Day: 1 Introduction to Mobile Application Development (in Android)
Day: 1 Introduction to Mobile Application Development (in Android)
Ahsanul Karim
 
Introduction to android
Introduction to androidIntroduction to android
Introduction to android
zeelpatel0504
 
Latest Trends in Mobile App Development
Latest Trends in Mobile App DevelopmentLatest Trends in Mobile App Development
Latest Trends in Mobile App Development
Dipesh Mukerji
 
Introduction To Mobile Application Development
Introduction To Mobile Application DevelopmentIntroduction To Mobile Application Development
Introduction To Mobile Application Development
Syed Absar
 

Recommandé

Cybersecurity in the Era of IoT
Cybersecurity in the Era of IoTCybersecurity in the Era of IoT
Cybersecurity in the Era of IoT
Amy Daly
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
Ishan Girdhar
 
Android security
Android securityAndroid security
Android security
Midhun P Gopi
 
security and privacy-Internet of things
security and privacy-Internet of thingssecurity and privacy-Internet of things
security and privacy-Internet of things
sreelekha appakondappagari
 
Day: 1 Introduction to Mobile Application Development (in Android)
Day: 1 Introduction to Mobile Application Development (in Android)Day: 1 Introduction to Mobile Application Development (in Android)
Day: 1 Introduction to Mobile Application Development (in Android)
Ahsanul Karim
 
Introduction to android
Introduction to androidIntroduction to android
Introduction to android
zeelpatel0504
 
Latest Trends in Mobile App Development
Latest Trends in Mobile App DevelopmentLatest Trends in Mobile App Development
Latest Trends in Mobile App Development
Dipesh Mukerji
 
Introduction To Mobile Application Development
Introduction To Mobile Application DevelopmentIntroduction To Mobile Application Development
Introduction To Mobile Application Development
Syed Absar
 
Mobile App Development
Mobile App DevelopmentMobile App Development
Mobile App Development
Chris Morrell
 
Iot cyber security
Iot cyber securityIot cyber security
Iot cyber security
sajid mehmood
 
Ios operating system
Ios operating systemIos operating system
Ios operating system
Khaja Moiz Uddin
 
IOT privacy and Security
IOT privacy and SecurityIOT privacy and Security
IOT privacy and Security
noornabi16
 
Mobile Hacking
Mobile HackingMobile Hacking
Mobile Hacking
Novizul Evendi
 
IOT Security
IOT SecurityIOT Security
IOT Security
Sylvain Martinez
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection Mechanisms
Talha Kabakus
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
LJ PROJECTS
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoT
gr9293
 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptx
LakshayNRReddy
 
Mobile Security 101
Mobile Security 101Mobile Security 101
Mobile Security 101
Lookout
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Mobile security
Mobile securityMobile security
Mobile security
Mphasis
 
Mobile Application Development Process
Mobile Application Development ProcessMobile Application Development Process
Mobile Application Development Process
ChromeInfo Technologies
 
Cyber security fundamentals
Cyber security fundamentalsCyber security fundamentals
Cyber security fundamentals
Cloudflare
 
Android Security
Android SecurityAndroid Security
Android Security
Arqum Ahmad
 
IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
Sanjay Kumar (Seeking options outside India)
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
Venkatesh Chary
 
IOS vs Android presentation by Saikrishna
IOS vs Android presentation by SaikrishnaIOS vs Android presentation by Saikrishna
IOS vs Android presentation by Saikrishna
Saikrishna Tanguturu
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
Tom Eston
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Tom Eston
 

Contenu connexe

Tendances

Mobile App Development
Mobile App DevelopmentMobile App Development
Mobile App Development
Chris Morrell
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection Mechanisms
Talha Kabakus
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Mobile Application Development Process
Mobile Application Development ProcessMobile Application Development Process
Mobile Application Development Process
ChromeInfo Technologies
 

Tendances (20)

Mobile App Development
Mobile App DevelopmentMobile App Development
Mobile App Development
 
Iot cyber security
Iot cyber securityIot cyber security
Iot cyber security
 
Ios operating system
Ios operating systemIos operating system
Ios operating system
 
IOT privacy and Security
IOT privacy and SecurityIOT privacy and Security
IOT privacy and Security
 
Mobile Hacking
Mobile HackingMobile Hacking
Mobile Hacking
 
IOT Security
IOT SecurityIOT Security
IOT Security
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection Mechanisms
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoT
 
Android security
Android securityAndroid security
Android security
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptx
 
Mobile Security 101
Mobile Security 101Mobile Security 101
Mobile Security 101
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Mobile security
Mobile securityMobile security
Mobile security
 
Mobile Application Development Process
Mobile Application Development ProcessMobile Application Development Process
Mobile Application Development Process
 
Cyber security fundamentals
Cyber security fundamentalsCyber security fundamentals
Cyber security fundamentals
 
Android Security
Android SecurityAndroid Security
Android Security
 
IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
 
IOS vs Android presentation by Saikrishna
IOS vs Android presentation by SaikrishnaIOS vs Android presentation by Saikrishna
IOS vs Android presentation by Saikrishna
 

En vedette

Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Tom Eston
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
Tom Eston
 
Privacy Exposed: Ramifications of Social Media and Mobile Technology
Privacy Exposed: Ramifications of Social Media and Mobile TechnologyPrivacy Exposed: Ramifications of Social Media and Mobile Technology
Privacy Exposed: Ramifications of Social Media and Mobile Technology
Tom Eston
 
Beyond App Store - Distribution of iOS Applications
Beyond App Store - Distribution of iOS ApplicationsBeyond App Store - Distribution of iOS Applications
Beyond App Store - Distribution of iOS Applications
let's dev GmbH & Co. KG
 
Mobile device management and byod – major players
Mobile device management and byod – major playersMobile device management and byod – major players
Mobile device management and byod – major players
Waterstons Ltd
 
Android vs i os features
Android vs i os featuresAndroid vs i os features
Android vs i os features
Guang Ying Yuan
 

En vedette (20)

Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
 
Android vs iOS security
Android vs iOS securityAndroid vs iOS security
Android vs iOS security
 
ppt on android vs iOS
ppt on android vs iOSppt on android vs iOS
ppt on android vs iOS
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
Tactical Information Gathering
Tactical Information GatheringTactical Information Gathering
Tactical Information Gathering
 
Apple iOS
Apple iOSApple iOS
Apple iOS
 
iOS and Android security: Differences you need to know
iOS and Android security: Differences you need to knowiOS and Android security: Differences you need to know
iOS and Android security: Differences you need to know
 
Using Android Beyond Phones
Using Android Beyond PhonesUsing Android Beyond Phones
Using Android Beyond Phones
 
Webinar: Insights from CYREN's 2015 Cyber Threats Yearbook
Webinar: Insights from CYREN's 2015 Cyber Threats YearbookWebinar: Insights from CYREN's 2015 Cyber Threats Yearbook
Webinar: Insights from CYREN's 2015 Cyber Threats Yearbook
 
Privacy Exposed: Ramifications of Social Media and Mobile Technology
Privacy Exposed: Ramifications of Social Media and Mobile TechnologyPrivacy Exposed: Ramifications of Social Media and Mobile Technology
Privacy Exposed: Ramifications of Social Media and Mobile Technology
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app security
 
InfoSec World 2014 Security Imperatives for IOS and Android
InfoSec World 2014 Security Imperatives for IOS and AndroidInfoSec World 2014 Security Imperatives for IOS and Android
InfoSec World 2014 Security Imperatives for IOS and Android
 
Ios seminar
Ios seminarIos seminar
Ios seminar
 
Android vs. Apple
Android vs. AppleAndroid vs. Apple
Android vs. Apple
 
Beyond App Store - Distribution of iOS Applications
Beyond App Store - Distribution of iOS ApplicationsBeyond App Store - Distribution of iOS Applications
Beyond App Store - Distribution of iOS Applications
 
Mobile device management and byod – major players
Mobile device management and byod – major playersMobile device management and byod – major players
Mobile device management and byod – major players
 
"iPhone vs Andriod," Anthony Hand
"iPhone vs Andriod," Anthony Hand"iPhone vs Andriod," Anthony Hand
"iPhone vs Andriod," Anthony Hand
 
Android vs i os features
Android vs i os featuresAndroid vs i os features
Android vs i os features
 
Android vs. iPhone for Mobile Security
Android vs. iPhone for Mobile SecurityAndroid vs. iPhone for Mobile Security
Android vs. iPhone for Mobile Security
 

Similaire à The Android vs. Apple iOS Security Showdown

Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilities
FFRI, Inc.
 

Similaire à The Android vs. Apple iOS Security Showdown (20)

NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
 
Android vs iOS
Android vs iOSAndroid vs iOS
Android vs iOS
 
Android vs ios
Android vs iosAndroid vs ios
Android vs ios
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Saravanan iOS vs Android
Saravanan iOS vs AndroidSaravanan iOS vs Android
Saravanan iOS vs Android
 
Saravanan iOS vs Android
Saravanan iOS vs AndroidSaravanan iOS vs Android
Saravanan iOS vs Android
 
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ...
 
Android
AndroidAndroid
Android
 
Road Ahead For Mobile Game Development
Road Ahead For Mobile Game DevelopmentRoad Ahead For Mobile Game Development
Road Ahead For Mobile Game Development
 
How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilities
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataCazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
 
Nga hiền-lài -nhung (1)
Nga hiền-lài -nhung (1)Nga hiền-lài -nhung (1)
Nga hiền-lài -nhung (1)
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)
 
Android vs ios
Android vs iosAndroid vs ios
Android vs ios
 
Android overview
Android overviewAndroid overview
Android overview
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Comparing Apples and Androids
Comparing Apples and AndroidsComparing Apples and Androids
Comparing Apples and Androids
 

Plus de Tom Eston

Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?
Tom Eston
 
Social Zombies: Rise of the Mobile Dead
Social Zombies: Rise of the Mobile DeadSocial Zombies: Rise of the Mobile Dead
Social Zombies: Rise of the Mobile Dead
Tom Eston
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 
Social Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and UncensoredSocial Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and Uncensored
Tom Eston
 
Social Zombies II: Your Friends Need More Brains
Social Zombies II: Your Friends Need More BrainsSocial Zombies II: Your Friends Need More Brains
Social Zombies II: Your Friends Need More Brains
Tom Eston
 
Enterprise Open Source Intelligence Gathering
Enterprise Open Source Intelligence GatheringEnterprise Open Source Intelligence Gathering
Enterprise Open Source Intelligence Gathering
Tom Eston
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-Middle
Tom Eston
 
Rise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network BotsRise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network Bots
Tom Eston
 

Plus de Tom Eston (14)

Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?Cash is King: Who's Wearing Your Crown?
Cash is King: Who's Wearing Your Crown?
 
Social Zombies: Rise of the Mobile Dead
Social Zombies: Rise of the Mobile DeadSocial Zombies: Rise of the Mobile Dead
Social Zombies: Rise of the Mobile Dead
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
 
Social Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and UncensoredSocial Zombies Gone Wild: Totally Exposed and Uncensored
Social Zombies Gone Wild: Totally Exposed and Uncensored
 
Social Zombies II: Your Friends Need More Brains
Social Zombies II: Your Friends Need More BrainsSocial Zombies II: Your Friends Need More Brains
Social Zombies II: Your Friends Need More Brains
 
Enterprise Open Source Intelligence Gathering
Enterprise Open Source Intelligence GatheringEnterprise Open Source Intelligence Gathering
Enterprise Open Source Intelligence Gathering
 
Staying Safe & Secure on Twitter
Staying Safe & Secure on TwitterStaying Safe & Secure on Twitter
Staying Safe & Secure on Twitter
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-Middle
 
Rise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network BotsRise of the Autobots: Into the Underground of Social Network Bots
Rise of the Autobots: Into the Underground of Social Network Bots
 
Information Gathering With Maltego
Information Gathering With MaltegoInformation Gathering With Maltego
Information Gathering With Maltego
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core Impact
 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit Framework
 
Physical Security Assessments
Physical Security AssessmentsPhysical Security Assessments
Physical Security Assessments
 
Online Social Networks: 5 threats and 5 ways to use them safely
Online Social Networks: 5 threats and 5 ways to use them safelyOnline Social Networks: 5 threats and 5 ways to use them safely
Online Social Networks: 5 threats and 5 ways to use them safely
 

Dernier

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 

Dernier (20)

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 

The Android vs. Apple iOS Security Showdown

  • 1. Android vs. Apple iOS Security Showdown Tom Eston
  • 2. About Your Presenter • Tom Eston CISSP, GWAPT • Manger of the SecureState Profiling & Penetration Team • Specializing in Attack & Penetration, Mobile Security • Founder of SocialMediaSecurity.com • Facebook Privacy & Security Guide • Security Blogger – SpyLogic.net • Co-host of Social Media Security Podcast • National Presenter Black Hat USA, DEFCON, ShmooCon, SANS, OWASP 2
  • 3. Agenda • The Latest Statistics on Android vs. Apple iOS • Android and Apple iOS Overview – Versions & Features • What are the issues, what are the security concerns? • The “SHOWDOWN”! – Each feature compared between Android and Apple iOS…who will win?? • Mobile Device Best Practices 3
  • 5. Apple? 5
  • 6. It’s a SHOWDOWN! Image: PinoyTutorial.com 6
  • 7. Android - Latest Statistics • 300 Million Devices Sold (as of February 2012) • 450,000 apps in the Android Market (Google Play) 7
  • 8. Apple iOS - Latest Statistics • 316 Million iOS Devices Sold (as of February 2012) • Increase due to Verizon/Sprint now selling Apple devices • 500,000 apps in the Apple App Store 8
  • 9. 9
  • 10. What Do We See? • Apple iOS is the most talked about, more widely deployed – iPad’s are hot! • Android a close second • BlackBerry third • Windows Mobile fourth • webOS or Symbian OS? 10
  • 11. Android: Current Versions • Jelly Bean 4.1.1 – Tablet (Nexus 7) and Nexus Phone • Honeycomb 3.2.6 – Tablet only (Motorola Xoom) • Updates are periodic. No set schedule by Google. • Updates to the device depend on the hardware manufacturer and the cell carrier • Samsung Galaxy Nexus and the Nexus 7 tablet get updates immediately from Google (this is the ‘Google Phone/Tablet’) 11
  • 12. Apple iOS: Current Versions • Not to be confused with Cisco “IOS” • Apple changed the name to “iOS” in June 2010 • Updated at least once a quarter, mostly minor revisions • Current version(s): – All carriers (GSM/CDMA) = 5.1.1 – iOS 6 in Beta 2 • iOS 5 fully supports iPhone 4/4S, iPhone 3GS, iPod Touch 3/4 gen, iPad 1-3 12
  • 13. Mobile Security Concerns • App Store and Mobile Malware • App Sandboxing • Remote Wipe and Policy Enforcement • Device and App Encryption • OS Updates • Jailbreaking and Rooting • New(er) Technology 13
  • 14. App Stores and Mobile Malware • Android Marketplace (now Google Play) – Very little application vetting, previous issues with Malware in the Marketplace (working on improving this) – Hot target for malware and malicious apps – Easy to get users to install popular “fake” apps outside Google Play 14
  • 15. Recent Mobile Malware Statistics • Juniper Networks’ 2011 Mobile Malware Threats Report – 13,302 samples of malware found targeting Android from June to December 2011 – “0” samples of malware found targeting Apple iOS (seriously…) Source: http://www.juniper.net/us/en/local/pdf/additional- resources/jnpr-2011-mobile-threats-report.pdf 15
  • 16. Legend of Zelda on Android? This would be awesome if true! ☺ http://nakedsecurity.sophos.com/20 12/04/26/dirty-tricks-android-apps/ 16
  • 17. Angry Birds from Unofficial App Stores • Disguised as a Trojan horse • Uses the “GingerBreak” exploit to root the device • Your device becomes part of a botnet http://nakedsecurity.sophos.com/2012/04/12/a ndroid-malware-angry-birds-space-game/ 17
  • 18. Easy to Ignore Android App Permissions • Reminder: Some apps can do things you didn’t know about – Example: Launching the web browser 18
  • 20. App Stores and Mobile Malware • Apple App Store – Developers must pay $99 – Submit identifying documents (SSN or articles of incorporation for a company) • Google Play – Developers must pay $25 – Agree to a “Developers Distribution Agreement” – Easy to upload lots of apps and resign if apps get rejected or banned 20
  • 21. App Stores and Mobile Malware • Apple App Store – Vetting process for each app in the store – Must pass Apple’s “checks” (static analysis of binaries) – Code for each app is digitally signed by Apple, not the developer • Process was exploited by Charlie Miller in November of 2011 – Created an “approved” app which was digitally signed – The app later downloaded unsigned code which could modify the OS dynamically – Was a bug in iOS 4.3/5.0 21
  • 22. Apple’s Problem? Questionable Apps • 90% of submissions to the Apple App Store are denied because the app doesn’t do what it says it does • Spammy apps…mainly privacy issues such as UDID usage • Jailbroken device? More susceptible to malware from unauthorized app repositories (Cydia) • Apps that look like legitimate apps: – Temple Run -> Temple Guns -> Temple Jump – Angry Birds -> Angry Ninja Birds -> Angry Zombie Birds – Zombie Highway -> Zombie Air Highway 22
  • 23. Angry Zombie Birds is Real! 23
  • 25. Apple: Very Little App Permissions Shown To Users • Mainly for privacy • Apps are limited to what they can do • * Apps can access contact data without permission (will be fixed in iOS 6) • Developers can do this on their own (Yelp)… 25
  • 26. 26
  • 27. Recent Apple “Find and Call Malware” • First “Trojan” for Apple iOS? • Really it was a spammy app that sent your contact list to a third- party server • Your friends get SMS spammed from the server • Contact list notification to be added in iOS 6 • App removed from the App Store and Google Play Image: Kaspersky Labs 27
  • 28. Winner: Apple iOS • Apple’s “walled garden” works better than Android’s “open garden” (at least for now) • However, still not immune from spammy, fake or potentially malicious apps (or really bad games)! 28
  • 29. Android: App Sandboxing • Privileged-Separated Operating System – Each app runs with a distinct system identity • Unique Linux user ID and group ID for each app • No app, by default, has permissions to perform operations that would impact other apps, the OS, or the user (Android Developer Docs) – The app grants permissions outside the default “sandbox” • Location based services can only be disabled globally, not on a per app basis – Apps are “signed” by the developer (not Google) and can be self-signed certificates (not a security feature) 29
  • 30. Android: App Sandboxing – Google “community based” enforcement • If the app is malicious or not working correctly the App community will correct the problem (in theory) – Rooted device? Too bad…root can access the keystore! • Apps can write to the SD Card (removable storage) – Files written to external storage are globally readable and writable 30
  • 31. Apple iOS: App Sandboxing • Each app is installed in its own container • If the app is compromised via exploit, the attacker is limited to that container • Jailbroken device? Ignore the last bullet point… Image: iOS Developer Library (developer.apple.com) 31
  • 32. Apple iOS: App Sandboxing • Each app is signed by Apple (not the developer) • Apps run as the “mobile” user • The Keychain is provided by Apple outside the sandbox for password or sensitive data storage • Apps can only access Keychain content for the application – Also a “device protection” API can be used by developers – Note: There are tools to dump the Keychain but the device has to be Jailbroken (in some form) • Apple does not use external storage devices (SD Cards) 32
  • 33. Winner: Apple iOS (by a nose) • Apple signs all applications • Limited areas to store app data • Permissions system is simpler for users – Example: More granular control of location based settings • Keychain and device protection APIs help (if developers use them) 33
  • 34. Remote Wipe and Policy Enforcement • Android – Google Apps Device Policy ($$) – Third-Party App ($$) – Third-Party MDM (Mobile Device Management) ($$) – Microsoft Exchange ActiveSynch • Apple iOS – Google Apps Device Policy ($$) – Apple OS X Lion Server Profile Manager ($$) – FindMyPhone (Free) – iPhone Configuration Utility (Free) – Third-Party MDM ($$) – Microsoft Exchange ActiveSynch 34
  • 35. Android: Remote Wipe • Google Apps Device Policy (Full MDM) – Need a Google Apps Business Account – Can manage multiple devices • iOS, Windows Mobile and Android 35
  • 36. 36
  • 37. Apple iOS: FindMyPhone • Free and easy way to remote wipe or find a lost or stolen device • Accessible via icloud.com 37
  • 38. Android: Policy Enforcement • Android Device Administration API – Encrypt data stored locally – Require password – Password strength – Minimum characters – Password expiration – Block previous passwords – Device auto lock – Device auto wipe after failed password attempts – Allow camera (not supported on Android, only iOS) – Encrypt device (whole disk) – Remote wipe/lock 38
  • 39. Android Policy Enforcement • No free utility to provision or create profiles • Need to create an app to install specific settings • Android provides little guidance on how to deploy this app • Users must activate the app for policies to take effect 39
  • 40. Apple iOS: Policy Enforcement • Very detailed settings available: – Passcode – Wi-Fi – VPN – Proxy – LDAP – Exchange ActiveSynch – App/Camera and other Restrictions – …and more! 40
  • 42. Winner: Apple iOS • Free remote wipe utility (FindMyPhone) • Much more granular enterprise controls • Free small scale MDM (iPhone Configuration Utility) • Easier to implement policies 42
  • 43. Device and App Encryption • Android – No device encryption on Android < 3.0 – Device encryption API released in “Ice Cream Sandwich – 4.0” – Based on dm-crypt (disk encryption) – API available since 3.0 for app level encryption 43
  • 44. Device and App Encryption • Apple iOS Hardware Encryption – Hardware encryption was introduced with the iPhone 3GS – Secures all data “at rest” – Hardware encryption is meant to allow remote wipe by removing the encryption key for the device – Once the hardware key is removed, the device is useless – Full MDM API’s available 44
  • 45. Device and App Encryption • Apple iOS Device Protection – “Device Protection” different than “Hardware Encryption” – This is Apple’s attempt at layered security • Adds another encryption layer by encrypting application data • Key is based off of the user’s Passcode. – Only Mail.app currently supports this – Many developers are not using the APIs – Often confused with Hardware Encryption 45
  • 46. Winner: Apple iOS • Slight edge to Apple for having hardware based encryption • Device Protection API more robust than Android • Developer documentation +1 for Apple 46
  • 47. OS Updates • Android – Slow patching, if at all! – OTA updates – A lot depends on forces outside of Google – Some devices will not support the latest version of Android…ever! – Google releases the update or patch, device maker customizes it, then carrier customizes it as well… 47
  • 48. 48
  • 49. Android Device Fragmentation *3,997 distinct devices downloaded OpenSignalMaps app in 6 months: http://opensignalmaps.com/reports/fragmentation.php? 49
  • 50. OS Updates • Apple iOS – Frequent updates (at least once a quarter) – Easier for Apple because the hardware is the same, not device manufacturer or carrier dependent – iOS 5 brings OTA updates 50
  • 51. Winner: Apple iOS • Same hardware, updates from one source = easier and faster to update • Track record of (more) quickly addressing security issues 51
  • 52. Jailbreaking and Rooting “Jailbreaking essentially reduces iOS security to the level of Android…” – Dino Dai Zovi, iOS Hacker 52
  • 53. Rooting on Android • Allows “root” access (super user) to the device • Why do people “root”? – Access the flash memory chip (modify or install a custom ROM) – Make apps run faster – Remove device or carrier apps – Turn the phone into a WiFi hotspot to avoid carrier fees – Allows “Unlocking” so the device can be used with another cell provider • Rooting is LEGAL in the United States – Digital Millennium Copyright Act (DMCA 2010) 53
  • 54. Rooting Process on Android 54
  • 55. Jailbreaking on Apple iOS • Full access to the OS and file system • Install applications and themes not approved by Apple (via installers like Cydia) • Tether their iOS device to bypass carrier restrictions • They hate Apple’s communist and elitist restrictions • Jailbreaking is LEGAL in the United States – Digital Millennium Copyright Act (DMCA 2010) 55
  • 56. Jailbreaking Tools • Pwnage Tool • Redsn0w • Sn0wbreeze • GreenPois0n Absinthe • Jailbreakme.com • LimeRa1n exploit used for most Jailbreaks 56
  • 57. New Jailbreaks • Latest versions of Absinthe and redsn0w can Jailbreak all new Apple devices running 5.1.1 (4S and the “new” iPad) • iOS 6 beta already jailbroken (tethered only) • iPhone dev-team does fantastic work! 57
  • 58. Winner? None! • Rooting and jailbreaking are bad for the security of the device! • Malware for Android takes advantage of this…and in some cases roots the device for you • Previous iOS “worm’s” that look for SSH ports from jailbroken devices • Removes built in sandbox restrictions • MDM needs to prevent and/or detect rooted and jailbroken devices! (you should also have a policy) 58
  • 59. New(er) Mobile Technology • Both devices are coming out with more innovative features which have interesting security considerations • Android 4.0 has facial recognition to unlock the device – Potential issue with the “swipe pattern” feature vs. standard passcode unlock • ASLR (Address Space Layout Randomization) – New in Android 4.0 – Support since iOS 4.3 – Developers have to take advantage of this! – * Kernel ASLR added in iOS 6 59
  • 60. New(er) Mobile Technology • Android: NFC – Android Beam – Let’s see how NFC gets attacked at Black Hat USA this year… 60
  • 61. New(er) Mobile Technology • Android: NFC – Google Wallet 61
  • 62. New(er) Mobile Technology • Apple iPhone 4S – Siri Voice Control • Allows commands by default on a locked device • Send emails/text’s and more… Image: Sophos 62
  • 63. Mobile Device Best Practices (for Android or Apple iOS) ☺ 63
  • 64. The Passcode • You should always have a passcode • You should require it immediately • It should be > 4 characters, 6 is recommended 6 character Alphanumeric = 196 years to brute force! – Why so long? You have to do the attack on the device… • It should be complex • Enable lockout/wipe feature after 10 attempts
  • 65. Enable Remote Management • For true Enterprise level management you must use a third-party MDM – Decide which type of enrollment is best for you – Whitelist approach may be best • Allow only devices you have authorized • BYOD: policy sign-off?
  • 66. Don’t Allow Rooting or Jailbreaking • Removes some built-in security features and sandboxing • Can leave you vulnerable to malicious applications • Ensure third-party MDM solutions prevent or detect rooting/jailbreaking • Address this in your mobile device policy
  • 67. Android Specific Best Practices • Enable Password Lock Screen vs. Face Unlock or Pattern • Disable USB Debugging • Enable Full Disk Encryption • Download apps only from official app stores – Google Play – Amazon 67
  • 68. Where to Find More Information • Links to all the tools and articles mentioned in this presentation: http://MobileDeviceSecurity.info • My presentations: http://SpyLogic.net
  • 69. Thank you for your time! Email: teston@securestate.com Twitter: agent0x0 QUESTIONS ANSWERS 69